How To Get Started With The NIST Cybersecurity Respond Function

by Katie Fritchen on November 19, 2020

The Respond Function creates a roadmap for managing a cybersecurity incident

Virtually every district across the country is working hard to address cybersecurity for K12 schools. It’s a critical issue, especially because hackers take advantage of crises like the COVID-19 pandemic. And because the pandemic has forced districts to transition to remote learning in some form.

Many districts are using the NIST Cybersecurity Framework to guide their cybersecurity efforts. Neal Richardson, the Director of IT at Hillsboro-Deering School District in New Hampshire, has implemented the Framework, so we talked with him to learn more about his experiences and provide you with his advice. The goal of this series is to give you an overview of the Framework along with implementation tips from Neal himself.

So far, we’ve covered the NIST Cybersecurity Identify Function, Protect Function, and Detect Function. This is the fourth entry in the series that addresses the NIST Cybersecurity Respond Function.

Sponsorships Available

About the NIST Cybersecurity Respond Function

Being the victim of a cybersecurity incident is stressful, and it’s not the time to figure out how to respond. When you make plans ahead of time, you have the luxury of thinking through all the implications and developing effective processes to manage the problem.

In some situations, state regulations mandate part of your response, such as disclosing a data breach incident within a set amount of time. But, there is a lot to do after you handle the mandates. You’ll need to analyze the incident to determine how it happened, and its scope and impact. You’ll also need to define procedures for containing the attack and coordinating communications with stakeholders and law enforcement.

When you have completed the Respond Function, you will be able to:
Quickly respond to an incident because you’ve already defined the procedures to follow during and after an incident
Communicate to the right stakeholders and law enforcement based on pre-defined procedures
Complete the response activities that are needed to contain the incident and support recovery such as forensic analysis to determine scope and impact
Quickly contain and resolve an incident
Improve your detection and response plans based on what you learned from an incident

Getting Started with the NIST Cybersecurity Respond Function

The response phase of a cybersecurity incident is perhaps the least enjoyable part of being in IT. It feels like the whole world is on fire, and you’re the one responsible for putting it out. That’s why you need to establish a playbook for different types of scenarios before an incident occurs. You can’t plan for everything that may happen because no two incidents are the same. But, you can plan what needs to happen for specific types of incidents, and you can improve those plans based on your future experiences.

For example, assume that you’ve detected an account takeover. The first thing you need to do is secure the account to contain the damage. Then, you need to analyze that account to identify emails sent after the takeover, documents that were shared or modified, and any other action that a cybercriminal could have taken while they had control of the account.

Pro Tip: You know where your skeletons are. You know what would make a really bad day for you. Neal recommends that is where you should start. Ask yourself, “What would be my worst day?” Then play out that scenario, finding ways to modify your plans, and adapt them to make the process as smooth as possible. Incorporate these three strategies into your response plans.

1. Streamline your communications. You need to communicate with your administrative team, including your superintendent, business manager and other people in key administrative positions.

“In New Hampshire, we have a law that requires us to notify the state attorney general if we can’t be sure that the exposed data won’t be used for malicious purposes. Of course, 9 times out of 10 there’s no way to definitely determine that,” explains Richardson.

“And a lot of news outlets monitor that attorney general notification for school data breaches. So, I walk through what has happened with my administrative team, what the impacts are, and what we’ve done to address it. This way, they are prepared to communicate with all the teachers, parents, news agencies, and other stakeholders that they’re likely to hear from.”

2. Develop partnerships with law enforcement. You’ll need to communicate with local and federal law enforcement. Make sure you know who to talk to when an incident occurs. Try to prepare for what questions they will ask and what information they may need.

3. Develop partnerships with your cyber insurance provider. Contact your insurance provider to identify the person(s) they have on retainer to handle cases for you. Establish a relationship with your contact person before something happens.

Many K-12 IT teams are overworked and underfunded, but the need for developing an effective cybersecurity infrastructure is critical, regardless of the cybersecurity myths that still haunt the industry. The NIST Framework removes one thing from your to-do list. Once you have worked your way through the five Functions, when you do experience a cybersecurity attack, it won’t seem as if the whole world is on fire!

With recent incidents of ransomware, Zoom/Google Meet “bombing”, and other issues, K-12 cybersecurity is at the top of everyone’s mind. Using a framework will help you prioritize and focus your efforts to work toward continual improvement. This K-12 NIST Cybersecurity Framework series is meant to help you use this popular framework to get started in your district. Protect your students, staff, and community stakeholders from the impacts of a data breach by improving your data security protections.

Look for the last installment of this series addressing the Recover Function next week! Or, you can watch the full webinar recording with Neal Richardson here.